Disclosure of remote code execution due to bug in miniupnpc



A buffer overflow enabling a significant data leak was discovered in miniupnpc. Combined with the then
recently-disclosed CVE-2015-6031 it enabled an RCE in miniupnpc which could have led to an RCE
in Bitcoin Core. This was fixed in Bitcoin Core 0.12,
released in February 2016.

This issue is considered Medium severity.

Details

CVE-2015-6031, disclosed in September 2015, made
it possible for a malicious UPnP server to remotely crash a Bitcoin Core process on the local
network at startup. See here for details. The fix
was pulled in Bitcoin Core and released in version
0.11.1, released in October 2015. UPnP was then
turned off by default.

CVE-2015-6031 disclosed a buffer overflow, which in addition to enabling a remote crash could have
made it possible to remotely execute code on a victim’s machine. While investigating this
possibility, Wladimir J. Van Der Laan found another buffer overflow in miniupnpc which enabled a
significant data leak. This was fixed by Wladimir in
miniupnpc in commit
4c90b87ce3d2517097880279e8c3daa7731100e6. The fix was then pulled into Bitcoin
Core and released as part of version 0.12.

This data leak did not disclose secret information (such as the wallet’s private keys) directly. But
combined with another stack overflow (such as the one disclosed in CVE-2015-6031) this made it
possible to trigger a remote code execution. Wladimir demonstrated this against Ubuntu’s miniupnpc
version 1.6-precise. The specific approach used in this exploit was however not directly portable
to Bitcoin Core.

Attribution

Credits go to Aleksandar Nikolic for identifying CVE-2015-0035 and to Wladimir J. Van Der Laan for
investigating its impact and discovering the second buffer overflow.

Timeline

2015-09-15 CVE-2015-0035 is
fixed and
disclosed.
2015-10-09 PR #6789 is merged in Bitcoin Core
2015-10-14 Wladimir’s remote code execution by leveraging the second buffer overflow is disclosed
to Ubuntu security and Bitcoin developers.
2015-10-15 Bitcoin Core 0.11.1 is
released
2015-10-26 The fix for the second buffer overflow is
merged into miniupnpc.
2015-12-18 The fix is pulled into Bitcoin Core.
2016-02-23 Bitcoin Core version 0.12 is
released.
2017-03-08 The last vulnerable Bitcoin Core Version (0.11.x) goes EOL
2024-07-03 Public disclosure


Related posts:

  1. Bitfarms to Buy Stronghold for $175M: Impact on Bitcoin Miners
  2. Stacks DEX aggregator Bitflow now live on Bitcoin L2
  3. Crypto News Digest by U.Today
  4. Immutable up 23.5% in 7 days despite market-wide volatility